While this plugin doesn't officially support WordPress 3.8 in terms of having it on the WordPress plugin page as a compatible release yet. It does indeed function with WordPress 3.8 which is the version of WordPress this article was written using.

I just installed a fresh copy of the latest WordPress 3.8.1 and tested it out and this plugin still functions.

If you've installed this plugin and are having issues accessing your WordPresss dashboard afterwards, you might want to try clearing your local web-browser's cache. We've seen instances where the server's .htaccess file which contains the redirect code that this plugin uses, gets cached on a users computer, and they can't see the updated changes.

If you're having another specific problem at all using this plugin with the newer versions of WordPress, please let us know!

Sorry for the confusion, your WordPress admin area should still be accessible after you installed the HC Custom WP-Admin URL plugin. You just need use the WP-admin slug that you set from step #8.

If your WordPress dashboard was available at:

http://example.com/wp-admin

If you set your WP-admin slug to secret like my example in this guide. You would then be able to get to your dashboard from:

http://example.com/secret.

Essentially the WP-admin slug you set with this plugin, becomes your new URL for accessing the dashboard going forward.

If you did want to undo the changes made by the plugin, you could edit your .htaccess file in your WordPress directory. Just comment out by placing a # symbol at the front of the line, the one that reads something like:

I used the HC Custom WP-Admin URL procedure but did not notice that in step #8 I needed to add the entire URL for my site and instead just entered a set of letters and numbers. Now I cannot access my WP admin page. Step #8 could have been made more clear if instead of showing the word "secret" you showed an entire URL with /secret at the end. What can I do now?

IN installed the plub in but am getting an error message after changing my slug name and saving the name. now allowing me to write that slug name for some reason. It then asks me to copy some code. I'm not sure what do do here.

This would be caused by your .htaccess file not being writable. You would need to either copy the code provided into your .htaccess file, or adjust the permissions of your .htaccess file to allow writing to it, which would typically be permissions of 644.

This plugin actually doesn't work with WP 3.8.1. Using it caused me to lose access to WP as the slug does not work for login. Additionally, there are much better security plugins that do work. The WP help is mostly out of date and your support staff seems to not know that.

As discussed in the comments above, this plugin does indeed function with the latest version of WordPress and has been tested many times. Make sure that you clear your web-browser's cache prior to attempting to access your dashboard over the new secret URL.

If you're having a specific problem accessing your WordPress dashboard now, you should simply be able to find your .htaccess file, and look for this line:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]

That should be the secret slug you want to use to attempt to access your dashboard now. Unfortunately I was unable to find any account information with us to check on this for you. So if you're hosting with us and still having any issues getting it working please submit a ticket in order for us to investigate what might be wrong with your install.

You can manually disable WordPress plugins in bulk which should disable the custom admin URL plugin and allow you back in regardless. It's also possible you have another plugin that could be interfering with the HC Custom WP-Admin URL plugin, so you could try re-enabling your plugins one at a time till you find an issue.

But I have comments enabled in blog. If I am not looged in, it shows a text "Please log in or register to post a comment and join the discussion." on main blog page. Login link here does not work now. Because it points to wp-login.php and it redirects user to home page.

Your customer support team gave me this article link, and I installed the plugin (great instructions, btw) ... however, because I have a custom login button, it just disabled the login. Of couse I was able to log in by putting the correct slug in ....

Are you able to help me modify the custom login so that it works?

I have had a very bad day with a full site restore needed because of hackers. I would really like to prevent this in the future.

You should be able to simply edit your custom login button to reflect the new secret admin URL slug that you used. You can look at my comment a few responses up talking about modifying the WordPress login link and see if that works for you.

If not, please let us know how you are adding the custom login button, either with a plugin or theme.

I reviewed the suggestions that Jacob suggested above and made the changes for you. Your login link for admin is now based on slug you set up for it. I verified that it's working. Check it out and let us know if you have any further questions.

My next question is the Login button is riding along in the header on every page, so it's confusing for customers because they get an error when they try to log in on a page other than the Home page. Is there a way to move this Login button into the Home page sidebar instead so it only shows on the Home page?

I appreciate so much the help because I don't want to mess it up. I don't know how to remove the login button from the header.

Sorry for the problem there. What was happening was the re-write was trying to load the slug you specified earlier for each page, meaning the URL was being loaded incorrectly. I have corrected it so the error does not appear when you click on the login button. This was a site created by InMotion Web Design, so if you're asking changes to the design it really should go back to them, unless you intend to modify it yourself. You can change what's in the header by simply editing the theme editor so that the LOGIN button is longer at the top. Moving it to another location would require more some design consideration, especially you'd have to either move or resize elements that are already in place.

Apologies that I can't make all of the changes, but I hope this helps to provide a workable solution.

It doesn't look like you had sufficient protection setup, as both your wp-login.php script and /wp-admin directory were accessible to anyone because you had uninstalled the HC Custom WP-Admin URL plugin.

I went ahead and reinstalled that plugin for you and ensured things were setup correctly.

As far as the code Arnel edited for you, as the instructions for modifying the WordPress login link explain, you just open up your /wp-includes/general-template.php file and then add the highlighted code where example.com/custom-wp-link would be your domain followed by the custom URL you setup in the plugin:

Are you able to login now? I simply re-installed the plugin and was able to access the website as normal as well as the admin dashboard. You might have possibly had another .htaccess rule conflicting with the plugin, but I'm not sure what that would have been because it is not present now.

If you're having any issues at all accessing the WordPress admin from your login link, you will want to make sure to clear your web-browser cache to make sure that you are in fact loading up the latest rules.

Yes I am able to login from the site, and it redirects properly to best-customers-ever BUT I am also able to login from wp-login.php, which is what Larry W. in service was supposed to have changed for me.

To foil the Brute Force Attacks, the ability to login from the default login page for Wordpress was supposed to have been blocked, which was happening before we got into the plugin that messed everything up.

Can you please fix this?

This is what I need:

1) client not able to login from wp-login.php *** key for the Brute Force attacks

2) client only able to login by clicking the login button on the site, not through a cached wp-login.php page *** key for Brute Force

3) client able to login from any page on the website with the login button ** key for customer service

Hope that helps - it sure would be easier to talk on the phone rather than have 20 emails back and forth.

I agree that reaching out to live tech support would probably help you resolve this issue better if you continue to have problems.

Unfortunately I've set things up for you and tested them to work, but then the HC Custom WP-Admin URL plugin gets disabled, which re-allows access to /wp-admin and wp-login.php once again which in turns triggers our ModSecurity rules when you have failed login attempts.

I have once again re-enabled this plugin for you, and I can confirm right now that trying to directly go to either of those URLs results in just your front page loading. Using the secret admin slug of best-customers-ever the normal WordPress login page is displayed. This is also still what your template that we edited is having your Login button going to.

If you are not seeing this behavior, then clear your web browser's cache. Or even better open a new Incognito or Private browsing window to ensure that your computer is not caching anything related to the WordPress login. You should see when trying to access either /wp-admin or wp-login.php that your main page will simply be loaded again, but if you click on the Log in link it should work.

If certain users are having issues, and you disable the plugin, it's just going to allow access back to the default admin URLs and possibly trigger a block again. So I'd recommend towards telling all your members to not attempt to log in if their browser happens to say /wp-login.php at the end and only if they are using the Log In button or the secret slug URL.

At this point I am extremely frustrated because I cannot log in, nor can my 60 clients.

I do not want the plugin enabled, but I can't login to remove it.

What I want is what Larry W. in service did, which was change the .htaccess so that a client had to click on the login button manually to log in.

I do not want a secret login anymore, because it is NOT WORKING.

I have cleared all of the caches and used brand-new browsers and it is definitely NOT WORKING.

Please remove the plugin.

In the future, I need someone to phone before making changes to the site. I was kicked off the site when you went in to make changes and the only way I found out was through my cPanel. You can't just go in and boot off people.

Whatever coding got changed in this thread, live support cannot find and fix. Not happy, but more disappointed. Something in the Inmotion cog wheels need to be fixed - the left hand is not working with the right hand.

They have referred me back to yourselves to fix it.

My customers have been unable to login for 2 days now.

The HT plugin has been disabled and removed and I do not want that plugin back in the system.

The problem is now that the login button keeps referring to best-customers-ever and there is no such thing so an error results.

Would you please REMOVE the coding that does this (Arnel I think put it in), and please KEEP the coding in the .htaccess file that was from the article Lock down Wordpress in the section: Dynamic IP address access, limit by referer.

Please test that:

1) customers can only login in via the cognitiveresults.com blue button on the main page

2) customers cannot login via wp-login.php in a cached form - they have to click on a blue button

I'm assuming you were off this weekend, as the comments did not post ...

Just to let you know live support is doing a full site restore to the 16th, along with my database backups. The .htaccess file they are using will have the snippet of code at the top for the redirect in the case of multiple IP addresses. The plugin will not be on there.

I really hope this fixes everything ... my customers have been great about it and not given me grief for not being able to login.

I thought I would let you know so that you don't go in to the files and waste your time looking for code that won't be there. :)

We have not fully tested the use of the WordPress mobile app after changing the admin URL, however, as it is just a rewrite, we assume it will work fine. If you have confirmed it working or not working, let us know so that we can report it to others.

I tried the instructions above serveral times but with no luck. I end up removing the script in .htaccess to be able to login again to the site. I have W3 Total Cache installed in the site, it might be the reason why the plugin is not working. Would it be possible to make HC Custom WP-Admin work with W3 Total Cache? If yes, do you have any instructions on how?

We have tested this plugin alongside W3 Total Cache and have seen that it is working correctly, however, the cache will need to be purchased within the W3 Total Cache plugin as well as your browser cache will need to be cleared to access the WordPress admin correctly.

However, I would highly recommend against suggesting this particular plugin. It has one of the lowest ratings, lowest download numbers, a four month back up in the support forums.

I know plugins are a ton of work to create and maintain and authors sometimes have other priorities. So it's no ones fault, but "Rename wp-login.php" has a perfect score, double the downloads, excellent support and even identifies caching conflicts on activation and recommends the proper action.

I can understand when you have a recommendation based on experience. Please bear in mind that any plugin that needs to be called up for any security event will have a resource cost on the server. If the server is being hit by a large brute force attack, then this may still cause downtime issues. The suggestions made by Jacob provide security changes that help to stop attacks BEFORE a WordPress plugin/process is running. This helps to provide security while also avoiding a large impact on server resources.

"WP Better Security", now known as "iThemes Security" had one of the best ratings history's PRIOR to being purchased by iThemes. Since iThemes purchased the plugin around March of this year and made their changes, it has received approximately 90 Single Star Ratings and 37 Five Star Ratings.

So the current iThemes release of this plugin is about a 1.4 Star out of 5.

I do use iThemes Security on one of my sites and have been happy with it, but you need to look closely at the ratings and read the good and bad to get the full picture. There's currently a lot of angry people at iThemes.

I'd also like to reiterate the Inmotion's support staff's suggestion relating to this article is a very effective and lightweight solution.

Firstly, I do apologise!! You're absolutely right Carl.. it's a shame to think itheme's has butchered this plugin because 'Better WP Security' was (is) great.

Sounds like it could be a similar (although not as severe) situation as Nextgen gallery, man that was an epic fall from grace!

Arn your right, that's something I didn't consider.. again, apologies for providing an inferior option. Personal opinion can obviously be problematic when something works for you.. especially when you haven't considered all angles.

Thanks for the comment - and the compliment! It's all good. We understand that many people have varying opinions and may come from a variety of backgrounds. We just try our best to be fair and open-minded to the opinions expressed. We try to avoid negativity and we hope to relay the best solution - whether it's from our staff or from any one willing to contribute. So, many thanks for your input!

I followed the instructions and downloaded the plugin where this is the 2nd locked out I have had in past week after a mass attack. The plugin installed easily enough and it is working as described. Thanks.

For the record, whatever "slug" you use, it will have to be converted to all lowercase letters when you use it to sign in. Thus, if your slug is "BigMack", you will sign in using "/bigmack" I found this out after a few hours of frustration over not being able to sign into my account! (I kept getting 404 errors.) Maybe everyone in the world already knows this, but I didn't.

Thanks for pointing this out, it does look like when you create your WP-Admin Slug it does mention below it Allowed characters are a-z, 0-9, - and _ excluding any capital letters. That's an easy thing to miss though!

I'll go ahead and update this article as well to hopefully save anyone else from having the same issues.

I just installed the plugin and changed the login link. When I logged out and clicked on the previous login link, it didn't work anymore, just as you mentioned above. However, shortly afterwards, the old login link worked again, meaning I now have to login links - the old one and the new WP slug one.

Do you know why the old login link works again, and if there is anything I can do to only have the new WP slug login link work?

Glad the steps helped you get the plugin installed. After logging in with your /secret WordPress admin slug, you can then access the normal URL as long as you are logged in.

After logging out of WordPress, if you are still able to directly access your WordPress admin login page from either /wp-admin or /wp-login.php then you might want to clear you web browser's cache. It sounds like possibly your computer is caching the old .htaccess file so it isn't requiring the redirect through the secret URL.

If that still isn't working, are you sure that the HC Custom WP Admin plugin is still enabled in WordPress under the Plugins section?

Please let us know if you're still having any problems, or if you have any other questions at all!

Same problem as others. Can't access log-in. Both mainpage/blog/wp-login.php/secret and mainpage/blog/wp-login.php take me to my site's home page. I've cleared cache, cookies and history multiple times.

It sounds like you might be attempting to access your WordPress admin incorrectly. If you've already setup your WP-Admin slug in the plugin settings you would get re-directed to your homepage using either of these URLs:

With the HC Custom WP-Admin URL plugin, you are replacing the wp-login.php with what you set for the WP-Admin slug. So when the plugin is activated you need to access your WordPress admin dashboard with:

http://example.com/blog/secret

Please let us know if you're still having any issues at all getting it to work.

Tried that earlier. I just emptied my cache and tried that again. When I enter that, I get an Error 404 - Page Not Found message. I've tried every blog/secret or wp-login.php/secret or wp-admin/secret derivative I can think of.

If you open up your .htaccess file which in your case sounds like it should be located at /blog/.htaccess, do you see a line like this:

RewriteRule ^secret/?$ /wp-login.php [QSA,L]

This is the RewriteRule that converts your hidden WordPress admin slug to the normal wp-login.php script internally.

Are you sure that you're entering in the same slug that you've set with the plugin? You should be able to verify it with that line.

If you're still having issues, you can simply remove the line manually from your .htaccess file, and you should be able to access your WordPress admin normally again.

If you're still having issues and have your website hosted with us, feel free to comment back with your domain name and we can take a look for you. We can take your domain name out of your comment prior to approving it to be displayed to the public.

Thanks for the help. Our website has a home page that is served out of the root public-html directory, while the blog is served out of the /blog directory. The plugin seemed to have changed the root .htaccess file and not the .htaccess file in the /blog directory.

We manually updated the .htaccess file in the /blog directory, and that allowed us to get to the login screen.

Once logged in, it was redirecting us to the home page rather than the admin tool. So, as mentioned in an earlier comment, we removed the rewrite rule from the .htaccess file in the root public-html directory.

That fixed the issue, and everything is working properly. I wanted to let you know that's what we had to do, in case it helps other customers.

Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/geeksi5/public_html/thepeckfamily.us/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137

I got a reply to my previous post though I don't see it here now. I have reactivated the plugin, so of course I can no longer access my site - so please let me know when you are done looking at it. I put in the slug loggins and when I saved I got a white page with just the following errors:

Warning: file(/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 52

Warning: fwrite() expects parameter 1 to be resource, boolean given in /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.phpon line 68

Warning: Cannot modify header information - headers already sent by (output started at /home/userna5/public_html/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php:52) in /home/userna5/public_html/wp-includes/pluggable.php on line 1121

If I go to the login page now I get the errors I mentioned before and loggin in fails.

It could be that this plugin is interfering with another plugin or it is not properly working with your site not being in the main /public_html directory of the account.

This plugin installed on a fresh copy of WordPress doesn't run into the errors you've mentioned. So I might recommend instead using a secondary WordPress admin password to restrict access to the admin dashboard in your case.

yes this plugin is good and it satisfy my requirment but my requirment also includes likewp-admin should be accessible for certain ip addresss.For e.g http://localhost/wordpress-3.9.2/vc-login xx.xx.xx.xx/wp-adminshould work

It sounds like you might not need the HC Custom WP-Admin URL plugin to protect your WordPress installation. Instead you can simply lock down WordPress admin access by IP address which would look something like this in your .htaccess file:

This would just allow the IP addresses 123.123.123.121, 123.123.123.122, and 123.123.123.123 to access your WordPress admin section.

If the IP addresses change a lot, then I'd recommend that you setup a secondary WordPress admin password. This way you will be prompted for a username and password prior to even getting to the actual WordPress login screen.

You will want to use either the IP restriction or password protection of .htaccess. Using one of those hiding the /wp-admin doesn't matter because once a user successfully hits the secret URL and logs into WordPress they are hitting the normal /wp-admin anyways. So the masking is just an unnecessary step.

I don't know why but the get_home_path function of hc-custom-wp-admin-url.php (starts on line 152 was returning '/' not the home directory for my site where the .htaccess file was actually located. Once I commented out the code and put the proper path to the file in - the plugin started to work.

Hi, I followed the instructions, installed the plugin and changed the URL for login-in into Wordpress. However, after login out, it didn't worked with the new slug I created. For some reasons, I need iThemes Security to login in Wordpress because I can't find the original slug to login into Wordpress. Could iThemes security block HC custom plugin and how can I find the original slug to login into Wordpress (it's not wp-admin, wp-login, ?)

Thanks for the question and sorry for problem you're having. The change to the slug should be happening within your .htaccess file. If it's not working, it could be because it's buried in the file and should be near the top of the file. However, you should be able to determine the slug change within the .htaccess file. You may need to remove or disable the plugins temporarily so that you can see things BEFORE you have added the plugins. If you removed the HC Custom WP Admin URL, then it's possible that the changes in the .htaccess file still exist. The notes above also add that the link change is added in the permalinks page. If it's still loaded, then you should be able to see the entry as noted in the instructions above.

Thanks for the question! The plugin works with the default WordPress admin URLs. The other URL it would work with is www.mysite.com/wp-admin . WWW.mysite.com/admin is NOT a default login, so the plugin was not designed to work with that URL.

If you are being blocked by our mod_security rule you may contact our Live Support team to have it disabled. As long as you follow the other security procedures such as the custom URL then you should be safe from the brute force attacks.

Thank you for your question. It is difficult to say what is wrong, without the specific steps you took when you set this up, and without knowing your version of WordPress and all plugins you are using.

But, most likely this wasn't setup correctly, or there is an existing plugin/.htaccess rule interfering with this functionality.

Your plugin looks very cool and very eaasy to use. Unfortunately it doesn't work properly on my website :(. I do everything right: the wp-admin et wp-login.php pages are well redirected to my homepage, that's great. I enter my new login page url (ex : www.mywebsite.com/secret) and as expected i see my the usual wordpress admin login form. I enter my ID and my password, press enter and then i don't access to my admin but i'm redirected to my homepage.

I need your help. Whenever I try to go to the wp-admin page, I am getting an error message saying:

Warning: file(/home/user/public_html/my site/.htaccess) [function.file]: failed to open stream: No such file or directory in /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137Warning: implode() [function.implode]: Invalid arguments passed in /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php on line 137Warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/my site/wp-content/plugins/hc-custom-wp-admin-url/hc-custom-wp-admin-url.php:137) in /home/user/public_html/my site/wp-includes/pluggable.php on line 941, 942 ,943 ........

When I try to log in with my user account it says:

ERROR: Cookies are blocked due to unexpected output. For help, please see this documentation or try the support forums

What should I do? PLease, help me to solve this. Thanks a lot, beforehand

I need to say thank you for this plugin. It really saved me. ALL the other lockdown plugins bar NONE did not work work for me. This one did. Follow the instructions - especially the one in the comment about changing the code for wordpress 4.1 and it SHOULD work. Thanks again my firend

I was facing a serieus bruteforce login hack on the admin accound. The plugin you suggested in this article does not work anymore... but there is a great alternitive! just search for "Rename wp-login.php"

Thanks for the concern. The plugins will always vary - there may be a solution provided that is suggested because of what it does, and then another may appear later which is better. So your comment is well taken. If you want a more up-to-date security plugin, check out Clef two-factor authentication.

Thanks for your reply. I'll check out Clef Two, but I've already discovered and installed two plugins on two sites that seem to be doing a super-dandy job. They are WordFence and iThemes Security. I'm curious what you would say about those plugins.

Getting back to the 2 yr comment about HC, I find most I.T. guys warn about using plugins that are not updated due to security concerns. I have used several hosting providers in the past, (in process of moving all my sites to IMH), but find InMotion to be the best hands down! So I'm surprised a top notch hosting company like yours would not follow suit with what seems to me to be the industry norm.

Two days ago was the first time I saw that our site was under attack and access blocked. Now off line waiting I am reading this thread...the original suggested plug in seems to have left many users in trouble but there have not been many recent comments....i am afraid to use the original plug in....anything more recent?

Thank you for contacting us. Yes, it looks like this plugin has not been updated in several years, and is no longer compatible with the latest version of WordPress.

I recommend using a different security plugin, here are some of our recommended security plugins. Be sure to use plugins that are compatible with your version of WordPress. I also like to use plugins that are updated recently.

Sorry for the problem with accessing your WordPress admin. We are unfortunately unable to duplicate your problem. I can access your WordPress admin and cPanel seems to be working with no problem. A 406 error is security related. If you're still getting the problem, can you please describe the exact steps you're taking to duplicate the error? You're also welcome to contact our live tech support team for immediate assistance if the 406 error occurs again. Check out this article for further information about the 406 error.

As per the warning above, the plugin had not been updated in years, so it's very likely that the plugin has been removed from the WordPress site. There are many alternatives now, that you may want to check. This is an example of one that was integrated into WordPress's popular Jetpack plugin: BruteProtect.